|
|
There are two ways to execute CiscoSecure User Administration functions.
The User Administration Interface GUI is described in the Using the HTML User Administration Interface publication.
This document describes the Command-Line Interface, which writes commands together with arguments at the UNIX shell to create scripts or issue commands.
The command line commands included here are:
Use this document in conjunction with the CiscoSecure ACS 2.1.2 User Guide and any other applicable documents and quick reference guides.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more up to date than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription.
You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com. From here, you can send Cisco your comments on any document by clicking the Feedback button, selecting MarketPlace, and clicking Enter the feedback form.
If you have questions or need help, refer to the section, "Cisco Connection Online" at the end of this document.
To add a user or group to the CiscoSecure database, use the AddProfile command.
| Switch | Command Type | Description |
|---|---|---|
| -h | host (optional) | Name of the host where the DBServer is located. Required when using command remotely. |
| -p | port | DBServer port with which to communicate. |
| -id | client (optional) | Client ID. Required when using command remotely. |
| -u | user | Name of user to add. If a -g switch is used, this cannot appear. |
| -g | group | Name of group to add. If a -u switch is used, this cannot appear. |
| -pr | parent group (optional) | Name of group to which the user will be added. Not specifying a group adds the profile to Root. |
| -pw | password pair (optional)
type, password or type | Defines which passwords to add to the user's profile. This switch takes the form of type, password. This switch also supports adding password types (for example, SYSTEM) that don't require a password. |
| -a | profile info (optional) | Additional profile information to add to the user's profile. This switch is free formatted to provide some additional user flexibility. Since the profile protocol requires a new line to signify an end of statement, a \n will be used to generate a new line in the profile statement. For example:
shell = {\nAny 0700 - 0900\n}
results in
shell = {
Any 0700 - 0900 } |
| -s | additional profile info (optional) | This switch allows the user to add additional profile information from either Standard Input or a specified file. Using the -s switch without any parameters will use the information from Standard Input as the additional profile information. Using -s followed by a file will read the file as additional information. This switch can be used in conjunction with the -a switch. |
| -q | suppress output (optional) | Used to suppress user output. |
| Message | RC | Description |
| No Error | 0 | If an error does not occur, the command line will return a 0 to indicate a user has been successfully added. |
| Input Error | 1 | There is an error in the data provided by the users. |
| Connection Error | 66 | Cannot connect to the database server. |
| Socket Error | 64 | Error occurred establishing a socket. |
| Stream Error | 65 | Error occurred establishing a data stream. |
| Password Error | 13 | An invalid password type or password is entered. |
| User not added | 2 | User was not successfully added. |
In the following example, issued from a UNIX workstation, user, user-joe, is added to the parent group1 located on the server mymachine. The password specified for user-joe is joepw11 with ARAP authentication. The service specified is a default protocol with the noted permissions:
AddProfile -h mymachine -p 9900 -id 100 -u user_joe -pr group1 -pw arap,joepw11 -a
'service= shell {\n default attribute = permit \nset priv-lvl=15\n}'
In the second example, group acctg1 is added to parent group1. Since no parent is specified, acctg1 is added to the Root:
AddProfile -h mymachine -p 9900 -id 100 -g acctg1 -pw arap,joepw11 -a
'service = shell {\n default attribute = permit \nset nocallback-verify = 1 \n}'
To delete a user from the CiscoSecure database, use the DeleteProfile command.
| Switch | Command Type | Description |
-h | host (optional) | Name of the host where the DBServer is located. Required when using the command remotely. |
| -p | port | DBServer port with which to communicate. |
| -id | clientid (optional) | Client's ID. |
| -u | user | Name of user to delete. If the -g switch is used, this cannot appear. |
| -g | group | Name of group to delete. If the -u switch is used, this cannot appear. |
| -q | suppress output (optional) | Used to suppress user output. |
| Message | RC | Description |
| No Error | 0 | If an error does not occur, the command line will return a 0 to indicate a user has been successfully deleted. |
| Input Error | 1 | There is an error in the data provided by the users. |
| Connection Error | 66 | Cannot connect to the database server. |
| Socket Error | 64 | Error occurred establishing a socket. |
| Stream Error | 65 | Error occurred when creating a data stream between the command line and the DBServer. |
| No user name | 3 | The command line switches did not contain a username. |
| User not deleted | 2 | User was not successfully deleted. |
In the following example, user-joe is deleted from the database:
DeleteProfile -h mymachine -p 9900 -id 100 -u user_joe
To view a user or group profile stored in the CiscoSecure database server, use the ViewProfile command.
| Switch | Command Type | Description |
|---|---|---|
-h | host (optional) | Name of the host where the DBServer is located. Required when using the command remotely. |
| -p | port | DBServer port with which to communicate. |
| -id | clientid (optional) | Client ID. Required when using the command remotely. |
| -u | user (optional) | Name of user to view. If the -g switch is used, this cannot appear. |
| -g | group (optional) | Name of group profile to display. If the -u switch is used, this cannot appear. |
| -q | suppress output
(optional) | Used to suppress user output. |
| Message | RC | Description |
|---|---|---|
| No Error | 0 | If an error does not occur, the command line returns 0. |
| Input Error | 1 | There is an error in the data provided by the users. |
| Connection Error | 66 | Cannot connect to the database server. |
| Socket Error | 64 | Error occurred establishing a socket. |
| Stream Error | 65 | Error occurred when creating a data stream between the command line and the DBServer. |
| User or Group not found | 3 | The DBServer could not find the user or group requested. |
In the following example, the user profile user_joe is requested:
ViewProfile -h mymachine -p 9900 -id 100 -u user_joe
In the second example, the command requests a view of a group profile, joes_group:
ViewProfile -h mymachine -p 9900 -id 100 -g Joes_group
To change the parent of a group or user within the CiscoSecure database, use the ChangeParent command. This command is generally used to transfer a user from one group to another.
To change a user's parent:
ChangeParent [-h host] -p port [-id client] -u user -dg destination-groupTo change a group's parent:
ChangeParent [-h host] -p port [-id client] -sg sourcegroup| Switch | Command Type | Description |
|---|---|---|
-h | host (optional) | Name of the host where the DBServer is located. |
| -p | port | DBServer port with which to communicate. |
| -id | clientid (optional) | Client ID. |
| -u | user (optional) | Name of user to move. This command line will only support one -u or -sg switch at a time. |
| -sg | source group
(optional) | Name of group to which user will be added. If no group is specified, the user is added to Root. |
| -dg | destination group
(optional) | The group who will become the parent of the group or user specified in either the -u or -sg switch. |
| -q | suppress output
(optional) | Used to suppress user output. |
| Message | RC | Description |
|---|---|---|
| No Error | 0 | If an error does not occur, the command line will return a 0. |
| Input Error | 1 | There is an error in the data provided by the users. |
| Connection Error | 66 | Cannot connect to the database server. |
| Socket Error | 64 | Error occurred establishing a socket. |
| Stream Error | 65 | Error occurred establishing a data stream. |
| Profile not moved | 3 | The group or user profile was not moved to its destination group. |
| Destination group does not exist | 5 | The destination group profile does not exist in the CiscoSecure database. |
| Profile does not exist | 4 | User or group profile does not exist. |
In the following example, the user user_joe is shifted from its old parent, oldparent, to its new parent, newparent:
ChangeParent -h mymachine -p 9900 -id 100 -u user_joe -sg oldparent -dg newparent
In the following example, the group child_group is shifted from its old parent, oldparent, to its new parent, newparent:
ChangeParent -h mymachine -p 9900 -id 100 -g childgroup -sg oldparent -dg newparent
To change a user or group password, use the ChangePassword command.
To change a user password:
ChangePassword [-h host] -p port [-id client] -u userTo change a group password:
ChangePassword [-h host] -p port [-id client] -g group| Switch | Command Type | Description |
|---|---|---|
| -h | host (optional) | Name of the host where the DBServer is located. If this is not. |
| -p | port | DBServer port to communicate with. |
| -id | clientid (optional) | Client ID. |
| -u | user | User's name whose passwords are being changed. |
| -g | group | Group's name whose passwords are being changed. |
| -pr | Protocol type | Type of protocol being changed, such as CHAP, ARAP, PAP, and so on. |
| -opw | old password | Old password. |
| -npw | new password | New password. |
| -q | suppress output
(Optional) | Used to suppress user output. |
| Message | RC | Description |
|---|---|---|
| No Error | 0 | If an error does not occur, the command line will return a 0 indicating the password has been successfully changed. |
| Input Error | 1 | There is an error in the data provided by the users. |
| Connection Error | 66 | Cannot connect to the database server. |
| Socket Error | 64 | Error occurred establishing a socket. |
| Stream Error | 65 | Error occurred establishing a data stream between the ChangePassword and CiscoSecure. |
| Password Error | 3 | An invalid password type or password was provided in the -opw, -npw, or -pr switches. |
| Incorrect Old Password | 4 | The password supplied using the -opw switch does not match the user's current password for the password validation type provided in -pr. |
| Password Not Changed | 5 | Password did not change. |
In the following example, the password of the user user_joe is changed from joesold1 to joesnew1:
ChangePassword -h mymachine -p 9900 -id 100 -u user_joe -pr ARAP -opw joesold1 -npw joesnew1
In the second example, the password of the group group1 is changed from oldgroup1 to newgroup1:
ChangePassword -h mymachine -p 9900 -id 100 -g group1 -pr ARAP -opw oldgroup1 -npw newgroup1
These errors are generated by invalid command syntax. Use these errors to diagnose and troubleshoot problems that may arise while using the command line.
| Error Message | RC | Meaning/Solution |
|---|---|---|
| Too many values | 11 | Too many values supplied on the command line. Check the syntax for this command and eliminate the unsupported values. |
| Invalid port | 12 | An invalid port was specified. Enter the correct port number. |
| Invalid parameter | 14 | Invalid parameter switch has been entered. Check the syntax for this command and eliminate the unsupported switch. |
| Invalid client ID | 15 | Client ID provided is invalid. Make sure the ID you entered is within the accepted range or is not already being used by another client. |
| Invalid number | 16 | An invalid number was passed in a command line switch. Make sure that one of the values you entered at the command line was not out of range or in an incorrect format. |
| Parameter already supplied | 17 | A parameter switch was used more than once. Eliminate the redundant switch. |
| Invalid character | 18 | A parameter containing an invalid character was entered. Remove or edit the character(s) which are not allowed. |
| Invalid protocol | 19 | A parameter switch value contains an invalid protocol. Check the command line options to make sure you have entered an acceptable protocol choice. For a complete list of acceptable protocols, refer to the CiscoSecure User Administration Interface addendum. |
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
|
|